Top 8 Areas You Shouldn’t Miss in App Security Testing

The Internet has created unlimited opportunities by enabling organizations to conduct business and share information on a global basis. Most of the time this information is critical and must not be compromised, so the same connectivity has brought new levels of security concern: it exposes valuable information, mission-critical business applications and consumers’ private data to more risk than ever before. Developers, QA and management all play a vital role in securing applications, networks and the rest of the stack.

Whether it is a web app or a mobile app, security testing is a must to produce secure, low-risk software. Many tools help achieve this goal, but mind-set and skill-set matter more than any tool. Those who only learn tools will only ever run tools; to break into an application you need an idea of how it might fail, and the tool merely assists. Past experience, combined with a mind-set that anticipates future vulnerabilities, is what produces an application that holds up in terms of security.

Following are a few important areas that must not be missed when testing an app for security:

Authentication:

This is the first entry point to the application. Verify that once the password has been changed the user can no longer log in with the old password. Verify that the account is locked, or logins are throttled, after several consecutive wrong passwords. Verify that no cookie ever stores the password, and that passwords are stored only as salted hashes. Verify that the password rules are enforced on every page that sets a password: registration, forgot password and change password. Verify the application against brute-force attacks, and check that a wrong password and a nonexistent user name produce the same response, so that valid accounts cannot be enumerated.
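The checks above in code, as an added example that is not part of the original article: a minimal login flow with a single password policy shared by registration and change-password, salted PBKDF2 hashing, a lockout after five consecutive failures, and a password change that makes the old password stop working immediately. The in-memory user store, the lockout numbers, the password rule and the user names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed in-memory user store for the example; a real app would use a database.
USERS = {}
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
# Kept lower than OWASP's current recommendation (600,000) so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
# At least 12 characters with upper case, lower case, a digit and a symbol (assumed policy).
PASSWORD_RULE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).{12,}$")


def password_is_acceptable(password):
    """One policy function shared by registration, forgot-password and change-password."""
    return PASSWORD_RULE.match(password) is not None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plain password is never stored anywhere."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    if not password_is_acceptable(password):
        return False
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "failed": 0, "locked_until": 0.0}
    return True


def login(username, password, now=None):
    """Returns 'ok', 'invalid' or 'locked'. 'now' is injectable so tests can move the clock."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        # Spend the same hashing cost for unknown users so timing does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return "invalid"
    if now < user["locked_until"]:
        return "locked"
    _, candidate = hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["hash"]):
        user["failed"] = 0
        return "ok"
    user["failed"] += 1
    if user["failed"] >= MAX_FAILED_ATTEMPTS:
        user["locked_until"] = now + LOCKOUT_SECONDS
        user["failed"] = 0
    return "invalid"


def change_password(username, old_password, new_password, now=None):
    """Requires the current password, applies the same policy, and replaces the stored
    hash so that the old password stops working at once."""
    if login(username, old_password, now) != "ok":
        return False
    if not password_is_acceptable(new_password):
        return False
    salt, digest = hash_password(new_password)
    USERS[username].update(salt=salt, hash=digest)
    return True
```

The same `login` function serves the tester's checks: the old password is refused after a change, the sixth attempt inside the lockout window returns "locked" even with the right password, and a missing user and a wrong password both come back as "invalid".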

Encryption:

Sensitive information such as passwords, credit card numbers and account numbers should never be displayed in clear text. A password has no reason to be displayed at all, and should be stored only as a salted hash; card and account numbers should be masked on screen, with only the last few digits visible. Cookies should not carry sensitive data in clear text: keep such data on the server, sign or encrypt whatever the cookie must carry, and set the Secure and HttpOnly flags. Any data transmitted over the network must be protected, so HTTPS should be used for the entire application, not just the login page.

Session Management:

Verify that once the user has logged out, or the session has expired, the user can no longer navigate the site; the session must be invalidated on the server, not merely deleted from the browser. The session identifier should never appear in the address bar at all, encrypted or not, since URLs leak through server logs, browser history and the Referer header; it should be a long random value carried in a cookie. Direct access to protected pages without login, by typing their URL, must be refused and redirected to the login page.
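An added example covering both the Encryption and Session Management points above, not code from the original article: masking an account number for display, a cookie that carries only a signed random session id (so nothing sensitive is stored in the cookie and tampering is detected), server-side expiry and logout, the cookie flags to set, and a small helper a tester can use to flag session ids in URLs. The key, timeout and parameter names are assumptions for the example; a signed cookie protects integrity, and if a cookie ever had to carry data of its own it would additionally need encryption.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed for the example: in production the key comes from a secret store, not the source.
COOKIE_KEY = secrets.token_bytes(32)
IDLE_TIMEOUT_SECONDS = 30 * 60
SESSION_PARAM_NAMES = {"sessionid", "session", "sid", "jsessionid", "phpsessid"}


def mask_account_number(number):
    """Display form of a card or account number: only the last four digits survive."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def _mac(value):
    digest = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_cookie(value):
    """value.mac, so the browser can hold the cookie but cannot change it undetected."""
    return value + "." + _mac(value)


def verify_cookie(cookie):
    """Returns the signed value, or None if the cookie is malformed or was tampered with."""
    value, sep, mac = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_mac(value), mac):
        return None
    return value


class SessionStore:
    """Server-side sessions: the cookie carries only a random id, never user data."""

    def __init__(self):
        self._sessions = {}

    def create(self, username, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits; never a counter or a user id
        self._sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def user_for(self, sid, now=None):
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(sid, None)  # expired: forgotten on the server, not just the client
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        """Invalidate server-side; deleting the browser cookie alone leaves the session live."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Secure: HTTPS only. HttpOnly: hidden from script. SameSite: limits cross-site sending."""
    return "Set-Cookie: session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % sign_cookie(sid)


def current_user(store, cookie_header_value, now=None):
    """What every protected page does first: verify the cookie, then look the session up."""
    sid = verify_cookie(cookie_header_value or "")
    return None if sid is None else store.user_for(sid, now)


def session_id_in_url(url):
    """Tester's helper: flag URLs carrying a session id; they leak via logs, history and Referer."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return any(name.lower() in SESSION_PARAM_NAMES for name in query)
```

A protected page calls `current_user` and redirects to login when it returns None; that single path covers the expired session, the logged-out session and the tampered cookie.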

Error handling:

If any functionality fails, the system must not show the user raw errors or exceptions from the application, the web server or the database, because such messages often contain information that was never intended for the user (stack traces, file paths, table names, connection strings) and that an attacker can use. Instead, display a custom error page that carries at most an opaque reference number, and log the full detail on the server side. Proper error and exception handling is therefore essential: an unhandled exception can take down a worker process, opening the door to denial-of-service attacks, and a verbose one discloses system-level details.
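As an added example, not the article's code: a dispatcher that shows the leaky behaviour beside the safe one. The failing view and its error text are constructed to look like a data-access failure; the page served to the user carries only a reference id, while the stack trace with the database path goes to a stand-in server log.

```python
import traceback
import uuid

# Constructed stand-in for the server log; a real app would use the logging module.
SERVER_LOG = []


class NotFound(Exception):
    """Expected, user-facing condition: safe to report as a 404 page."""


def dispatch_leaky(view, *args):
    """The anti-pattern: the raw exception text, database details included, goes to the browser."""
    try:
        return 200, view(*args)
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def dispatch_safe(view, *args):
    """Expected errors map to fixed pages; anything unexpected becomes a generic page plus a
    reference id, and the full detail is written only to the server log."""
    try:
        return 200, view(*args)
    except NotFound:
        return 404, "<h1>Page not found</h1>"
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        SERVER_LOG.append("incident %s\n%s" % (incident_id, traceback.format_exc()))
        return 500, ("<h1>Something went wrong</h1>"
                     "<p>Please contact support and quote reference %s.</p>" % incident_id)


def account_view(account_id):
    """Constructed view that fails the way a broken data-access layer would."""
    if account_id == "missing":
        raise NotFound(account_id)
    raise RuntimeError(
        "OperationalError: no such table: accounts (db=/srv/app/prod.sqlite, user=app_rw)")


def last_incident_id():
    """Reference id of the most recent logged incident, for matching a user's report."""
    return SERVER_LOG[-1].split()[1] if SERVER_LOG else None
```

The reference id is the only thing the user and the log have in common, which is exactly what support needs and exactly what an attacker gains nothing from.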

SQL Injections:

SQL injection is one of the ways to extract important information from the database. Attackers can execute malicious SQL statements on the database to retrieve, update and delete records. They can also bypass authentication by injecting SQL into the password field at login. SQL injection can equally be carried out by manipulating a URL parameter that feeds a SQL query. Very often the first step is to provoke a database error, because the error message reveals the database type and the table and column names; this is where exception handling comes into the picture. Test every input that can reach a query with a single quote, a comment sequence (--) and a tautology such as ' OR '1'='1, and watch both the response and the error page.

The application should connect to the database with the least privileges it needs (a read-only account for read-only features, and no rights to alter the schema). Applications should never build SQL statements by concatenating the user’s input; use parameterized queries (prepared statements) so that input is always passed as data, and validate the input as well.
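An added example in Python with SQLite, not from the original article, showing the authentication bypass described above against a string-built query, the parameterized query that defeats it, and the least-privilege point as a connection that refuses write statements. The users, placeholder hashes and payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "hash-of-admin-pw", "admin"),
                      ("alice", "hash-of-alice-pw", "user")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """User input concatenated straight into the statement: the textbook mistake."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password_hash):
    """Parameterized query: the driver sends the values as data, never as SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
                 sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
                 sqlite3.SQLITE_ALTER_TABLE}


def restrict_to_reads(conn):
    """Least privilege for a login path that only needs SELECT. With a server database this
    is done by granting the application account only SELECT; SQLite has no accounts, so an
    authorizer callback refuses the write actions instead."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def attempt_delete_all(conn):
    """Returns True if the database refused the write, False if it went through."""
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.DatabaseError:
        return True
```

With `admin' -- ` as the user name, the string-built query becomes `... WHERE username = 'admin' -- ' AND password_hash = '...'` and the password check is commented away; the parameterized version looks for a user literally named `admin' -- ` and finds nothing.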

Cross Site Scripting (XSS):

XSS enables attackers to inject client-side scripts into web pages. If user input is not validated and, more importantly, not encoded when it is written back into the page, those scripts execute in the victim’s browser and that user’s security is at risk. Such scripts can read the cookies of another user, who may even be the admin user, and the attacker can then use those cookies to impersonate them; this is one reason session cookies should be marked HttpOnly.

E.g. entering <script type=‘text/javascript’>alert(‘xss’);</script> in the search box should search for that literal text instead of executing the alert. The alert is only a proof of concept: the same injection point can load a script from the attacker’s URL that steals sessions or downloads malicious code onto users’ machines.

Proper validation of user input is a must, and so is output encoding appropriate to the context (HTML body, attribute, JavaScript, URL) in which the input is rendered.
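The search-box check above as an added example (not the article's code): the results page rendered with and without output encoding, plus the attribute context, where the quotes also have to be encoded or the input can close the attribute and start an event handler. The document list and the oracle function are constructed for the example.

```python
import html

# Constructed document set that the search runs over.
DOCUMENTS = ["Quarterly report", "Admin guide", "Release notes"]


def search(term):
    return [doc for doc in DOCUMENTS if term.lower() in doc.lower()]


def render_results_vulnerable(term):
    """Echoes the search term into the page as-is: the injection point the text describes."""
    items = "".join("<li>%s</li>" % doc for doc in search(term))
    return "<p>Results for: %s</p><ul>%s</ul>" % (term, items)


def render_results(term):
    """Same page with HTML-context output encoding; the term is shown, never interpreted."""
    items = "".join("<li>%s</li>" % html.escape(doc) for doc in search(term))
    return "<p>Results for: %s</p><ul>%s</ul>" % (html.escape(term), items)


def render_search_box_vulnerable(term):
    """Attribute context without encoding: a quote in the input ends the value attribute."""
    return '<input type="text" name="q" value="%s">' % term


def render_search_box(term):
    """quote=True also encodes the quotes, so the value cannot end the attribute early."""
    return '<input type="text" name="q" value="%s">' % html.escape(term, quote=True)


def contains_live_script(page):
    """Crude test oracle: did a script tag or an event-handler attribute survive unencoded?"""
    lowered = page.lower()
    return "<script" in lowered or 'onmouseover="' in lowered
```

A real test oracle would drive a browser and watch for the alert; the string check here is enough to show which rendering path lets the payload through.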

Coding issues:

Do not rely on hiding client-side code: the browser’s “View Source” option cannot be disabled in any meaningful way, so treat all HTML and JavaScript as visible to the attacker and keep secrets and security decisions on the server. Verify the user roles and their rights on the server, for every request. For example, a requester should not be able to reach the admin page, even by typing its URL directly; removing the link from the menu is not access control.
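An added example (not from the original article) of the role check described above, enforced on the server for every request: a requester who types the admin URL directly gets a 403, and an unknown role gets nothing. The roles, permission names and routes are assumptions for the example.

```python
from functools import wraps

# Constructed role model for a ticketing app: every role lists only what it may do.
ROLE_PERMISSIONS = {
    "requester": {"ticket:create", "ticket:view_own"},
    "approver": {"ticket:create", "ticket:view_own", "ticket:approve"},
    "admin": {"ticket:create", "ticket:view_own", "ticket:approve", "admin:panel"},
}


class Forbidden(Exception):
    pass


def requires(permission):
    """Server-side check on every call; hiding a link in the UI is not access control."""
    def decorator(view):
        @wraps(view)
        def wrapper(user, *args, **kwargs):
            granted = ROLE_PERMISSIONS.get(user.get("role"), set())  # unknown role: nothing
            if permission not in granted:
                raise Forbidden("%s lacks %s" % (user.get("name"), permission))
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("admin:panel")
def admin_page(user):
    return "admin panel for %s" % user["name"]


@requires("ticket:approve")
def approve_ticket(user, ticket_id):
    return "ticket %s approved by %s" % (ticket_id, user["name"])


ROUTES = {"/admin": admin_page, "/tickets/approve": approve_ticket}


def dispatch(path, user, *args):
    """Resolve the URL and run the view; a role without the permission gets 403 whether it
    followed a link or typed the URL directly."""
    view = ROUTES.get(path)
    if view is None:
        return 404, "not found"
    try:
        return 200, view(user, *args)
    except Forbidden as exc:
        return 403, str(exc)
```

The tester's check is then simply to log in as each role and request every route, including the ones the UI never links to.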

Buffer overflow:

In computer security and programming, a buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. It is a special case of a memory-safety violation, and occurs in languages such as C and C++ that do not bounds-check memory accesses.

Adversaries can trigger buffer overflows by providing inputs designed to execute code or change the way the program behaves. The result is unpredictable program behaviour: wrong results, memory access errors, a crash, or a breach of system security. Buffer overflows are thus the basis of a large class of software vulnerabilities and are routinely exploited.

The source code should be analyzed and reviewed before it is compiled; numerous static analysis tools exist for this task. The code can also be tested after compilation: numerous tools look for vulnerabilities in the compiled binary, and they are complemented by fuzzing, which tests software by feeding it massive amounts of random or mutated input and watching for crashes and memory errors (ideally with a sanitizer such as AddressSanitizer enabled, so that an overrun is detected at the moment it happens rather than only when it corrupts something visible).
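An added example, not the article's code, of the fuzzing approach described above. Python is memory-safe, so the unchecked copy cannot corrupt memory the way the C original would; instead the write past the end of the fixed-size buffer surfaces as an IndexError at exactly the offset where an overflow would begin, which is the signal the harness looks for, much as a sanitizer flags the out-of-bounds write in native code. The buffer size, input sizes and seed are assumptions for the example.

```python
import random

BUFFER_SIZE = 64


def copy_unchecked(data):
    """Models a strcpy-style copy into a fixed 64-byte buffer. In C the bytes past index 63
    would silently land in adjacent memory; here the write raises IndexError at that point."""
    buf = bytearray(BUFFER_SIZE)
    for i, byte in enumerate(data):
        buf[i] = byte
    return bytes(buf)


def copy_checked(data):
    """The fix: check the length against the buffer size before writing a single byte."""
    if len(data) > BUFFER_SIZE:
        raise ValueError("input of %d bytes exceeds %d-byte buffer" % (len(data), BUFFER_SIZE))
    buf = bytearray(BUFFER_SIZE)
    buf[:len(data)] = data
    return bytes(buf)


def fuzz(target, iterations=2000, seed=1):
    """Feed random inputs of random length to target. A ValueError is the documented rejection
    and counts as correct; any other exception is recorded as a crash for the bug report."""
    rng = random.Random(seed)  # seeded so every reported crash can be reproduced
    crashes = []
    for _ in range(iterations):
        length = rng.randint(0, 4 * BUFFER_SIZE)
        data = bytes(rng.getrandbits(8) for _ in range(length))
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((type(exc).__name__, len(data)))
    return crashes


def shortest_crash(crashes):
    """The smallest input length that crashed: the first case to reproduce and debug."""
    return min(length for _, length in crashes) if crashes else None
```

Against native code the harness is the same shape, with the target run under a sanitizer and a signal or sanitizer report taking the place of the exception; the shortest crashing input is the one to minimize and hand to the developers.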

Things have changed in the past few years. Attackers no longer target organizations for pride or ego but for profit. Firewalls, SSL, etc. amount to nothing if the application itself is not secure. Therefore do not trust anything coming from the browser; work closely with the developers and produce a secure app.